FOREWORD

Public government statements have cited cyberattacks by terrorists as a major concern for national security. To date, no large-scale cyber-terrorist attack has been observed, but terrorists are known to be using the Internet for various routine purposes. The discovery of Stuxnet in 2010 was a milestone in the arena of cybersecurity because, although a malware attack on industrial control systems was long believed to be theoretically possible, it was different to see malware used in reality to cause real physical damage. Stuxnet demonstrated that a sufficiently determined adversary with sufficient resources might be able to damage U.S. critical infrastructure physically through a cyber attack. Did Stuxnet change the threat of cyberterrorism?

This monograph examines cyberterrorism before and after Stuxnet by addressing three questions: 1) Motive — Are terrorists interested in launching cyberattacks against U.S. critical infrastructures? 2) Means — Are terrorists building capabilities and skills for cyberattacks? and, 3) Opportunity — How vulnerable are U.S. critical infrastructures? Answers to these questions give a characterization of the post-Stuxnet cyberterrorism threat. The next question is why a major cyber-terrorist attack has not happened yet; this is explained from a cost-benefit perspective. Although cyberterrorism may not be an imminent threat, there are reasons to be concerned about the long-term threat and inevitability of cyberattacks.

It is important to assess frequently the threat landscape and current government policies for enhancing the protection of national infrastructures. Therefore, the Strategic Studies Institute commends this monograph to its readers.


DOUGLAS C. LOVELACE, JR.
Director

Strategic Studies Institute and
U.S. Army War College Press
SUMMARY

Terrorists are known to use the Internet for communications, planning, recruitment, propaganda, and reconnaissance. They have shown interest in carrying out cyberattacks on U.S. critical infrastructures, although no such serious attacks are known publicly to have occurred. The discovery of the Stuxnet malware in July 2010, and its analysis over the next several months, was widely believed to have been a landmark event in cybersecurity, because it showed that cyberattacks against industrial control systems, hypothesized for a long time, are actually possible. After Stuxnet, there were public concerns that terrorists might be encouraged to acquire capabilities for similar cyberattacks.

This monograph examines cyberterrorism before and after Stuxnet by addressing questions of:

1. Motive — Are terrorists interested in launching cyberattacks against U.S. critical infrastructures?

2. Means — Are terrorists building capabilities and skills for cyberattacks?

3. Opportunity — How vulnerable are U.S. critical infrastructures?

It is noted that no serious cyberterrorism attacks have occurred after Stuxnet. This can be explained from a cost-benefit perspective that has not changed since Stuxnet. It can be argued that U.S. policies can really address vulnerabilities only by strengthening defenses of critical infrastructures.
CYBERTERRORISM AFTER STUXNET


INTRODUCTION

There have been widely publicized government concerns that terrorists might be turning to cyberattacks. For instance, Federal Bureau of Investigation (FBI) Director Robert Mueller testified to a Senate Appropriations Subcommittee in March 2012 that "while to date terrorists have not used the Internet to launch a full-scale cyber attack, we cannot underestimate their intent. . . . (terrorists are) using cyberspace to conduct operations." Cited examples of terrorist "cybersavvy" included al-Qaeda in the Arabian Peninsula, which publishes an online magazine entitled Inspire, and the use of Twitter by the Somali group Al-Shabaab. The prospect of cyberterrorism is understandably troubling, because of the wide range of possible targets and attack vectors, which would be challenging in terms of defense. In theory, terrorists of sufficient skills might be able to attack the power grid, air traffic, public transport, financial networks, communication networks, emergency response, utilities, manufacturing plants, or military networks. Possible cyberattacks could range from blatant distributed denial of service (DDoS) or sabotage, to more stealthy attacks for data theft or remote control.

According to Gabriel Weimann, "psychological, political, and economic forces have combined to promote the fear of cyber terrorism." The concept combines two modern psychological fears: the fear of random violence and the fear of computer technology. Also, cyberterrorism has been caught up in the U.S. political aftermath of September 11, 2001 (9/11), when more terrorist attacks seemed to be a distinct possibility, and the United States felt vulnerable. The prospect of cyberattacks causing catastrophic damage from a remote computer seemed like the ultimate threat, perhaps hyped beyond the actual threat level. Weimann states that a threat is real but must be assessed realistically without overdue emotional influences.

The first obstacle in assessing cyberterrorism is the various definitions that have been proposed. No single definition has been universally accepted (just as a common definition of terrorism has been elusive). The term might be traced back originally to Barry Collin, who noted that physical infrastructures increasingly are controlled by computers, and that dependence on computer networks increased our vulnerability to cyberattacks. Examples of potential targets for cyberattacks included: financial systems to disrupt stock exchanges; air-traffic control to crash aircraft; pressure valves in gas lines to cause explosions; and computer controls at pharmacies or food processing plants to poison the population. Like traditional terrorist acts, cyberterrorism exhibits scale (mass destruction) and publicity. Collin postulated that cyberattacks would appeal logically to terrorists for their relative ease and safety. At the same time, Collin predicted that cyberterrorism would create new challenges to counterterrorism because of the need to acquire cyber expertise and eliminate vulnerabilities in critical infrastructures.

Professor Dorothy Denning offered a definition of "cyberterrorism" in testimony before the House Armed Services Committee in May 2000 that has been widely cited:

Cyberterrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.

A more concise definition is "politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage." This definition consists of three parts: 1) politically driven intention; 2) serious effects; and, 3) computer networks as the means. This meaning shares commonalities with the U.S. Department of State definition of terrorism in Title 22 of the U.S. Code, Section 2656f(d): "Premeditated politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience."

Generally, Denning's definition of cyberterrorism is the one used here. Definitions are problematic, because complicated scenarios could be imagined. For example, a physical attack on computers controlling critical infrastructures could cause serious harm; in this case, computers are the target but not the means. Also, terrorists use computer networks for recruiting, planning, communications, and target reconnaissance. These are routine activities that most people use the Internet for, but might be argued to be cyberterrorism in the sense of "cyber activities supporting terrorism."
Aside from the problem of definition, there is the practical problem of determining whether a particular cyberattack qualifies as cyberterrorism. First, attribution of cyberattacks to the real attacker is difficult and often impossible. Attackers can compromise other computers to use as intermediaries, or channel through anonymizing proxies that hide their Internet protocol (IP) address. Second, the complete effects of an attack might be concealed, e.g., if stealthy malware has been installed without detection. Third, even if attribution is solved, there is another problem: determining the intent of the attacker. For instance, it would be difficult to determine if a hacking group is acting for its own gain or was hired by another party.

Aside from definitions, the cyberterrorism literature has addressed mostly: 1) how terrorists use the Internet for propaganda, recruiting, fund raising, intelligence gathering, and planning; 2) vulnerabilities in critical infrastructures, providing opportunities for cyberattacks; and, 3) whether cyberterrorism is a real threat. Most of the literature understandably predates Stuxnet, since the discovery of Stuxnet was relatively recent. Stuxnet vividly demonstrated to the world that industrial systems can be sabotaged physically by malware, a threat long believed to be possible by the cybersecurity community but not actually observed. The literature has not really explored whether Stuxnet had any effect on cyberterrorism.

This monograph examines cyberterrorism before and after Stuxnet by addressing these questions: 1) Motive — Are terrorists interested in launching cyberattacks against U.S. critical infrastructures? 2) Means — Are terrorists building capabilities and skills for cyberattacks? and, 3) Opportunity — How vulnerable are U.S. critical infrastructures? It is noted that no serious cyberterrorism attacks have occurred after Stuxnet; this can be explained from a cost-benefit perspective, which has not changed since Stuxnet. In that sense, cyberterrorist attacks do not seem to be imminent, although Stuxnet has implications for the cost-benefit weights of potential future attacks. It can be argued that U.S. policies can really address only the opportunities for terrorism (but not motive or means) by strengthening the defenses of critical infrastructures.

STUXNET

Stuxnet was a milestone in the field of cybersecurity. Although experts had long believed that a malware attack on industrial control systems was possible, it was different to see it used in reality as a surgical strike against an enemy's infrastructure. Stuxnet revealed the level of sophistication required for a "weaponized" malware.

The unusual size and sophistication of Stuxnet, discovered in June 2010, took a team of antivirus companies several months to diagnose its functions fully. Today, Stuxnet is well understood and documented but still surprising in the level of effort invested by the terrorists and its technical sophistication. The description of Stuxnet here is summarized from the literature.

Stuxnet stood out from typical malware due to its large size (around 500 kilobytes [kb]) and complexity. It was unusual in that it used two stolen digital certificates and multiple zero-day exploits. As zero-day exploits are valuable, typical malware usually contains at most one zero-day (or often none, as reused known exploits can still be effective against unpatched targets). The level of investment suggests that the target was considered very valuable, but it took months to analyze the payload and ascertain the probable target.
Methods of Spreading.

The initial infection vector was suspected to be a removable drive because the target network was not connected to the Internet. Once a personal computer (PC) has been infected, Stuxnet uses various means to spread through local networks to other PCs:

• Stuxnet detects the presence of removable drives (probably a universal serial bus [USB] flash) and installs several files for infecting a Windows PC, exploiting a vulnerability in the processing of shortcuts and .lnk files (MS10-046). When the infected drive is opened in a PC, Stuxnet's binaries will be executed.

• Stuxnet exploits a vulnerability in the Windows Print Spooler service to spread by sending a malicious print request to a target PC over a remote procedure call (RPC).

• Stuxnet exploits an old vulnerability in Windows Server Service (MS08-067) which does not properly handle specially crafted RPC requests.

• Stuxnet spreads to other PCs through network shares.

• Stuxnet takes advantage of a hard-coded default password in Siemens Simatic WinCC software (CVE-2010-2772). The password allows privileged access to a back-end WinCC database. Once connected to the database, Stuxnet injects a copy of itself into the database, thereby infecting the PC running the WinCC database.
Target.

While Stuxnet is capable of spreading more aggressively, it is interested only in Windows PCs running Simatic Step 7 software, because the ultimate target was a Siemens Simatic S7 PLC (programmable logic controller). Stuxnet contains code to test that the target is correct. Also, the analysis of the payload pointed to a Siemens Simatic S7 PLC target. PLCs are specialized computers used widely to control various types of industrial equipment found in factories, assembly lines, manufacturing plants, and critical infrastructures. Like PCs, PLCs are programmable for flexibility but differ in a few important respects: they are for more rugged environments and for specific real-time applications; they are not connected to the Internet or wide-area networks; and, they are typically equipped with more elaborate input/output interfaces than PCs. PLCs are commonly connected to a programming device — usually a regular PC — and disconnected after a program is loaded.

Stuxnet is interested only in Siemens Simatic S7 PLCs, which are programmed by Windows PCs running Simatic Step 7 software. After Stuxnet infects a PC running Simatic Step 7, Stuxnet will then load its own malicious blocks into a connected Simatic S7 PLC. The malicious blocks are capable of hiding their presence from the human operator. Stuxnet also checks the type of central processing unit (CPU) in the PLC, the presence of Profibus (a standard industrial network bus), and the presence of at least 33 frequency converter drives made by Fararo Paya (Iran) or Vacon (Finland). The reason is that the payload evidently is aimed at affecting these specific frequency converter drives. The creators of Stuxnet had knowledge that the intended target PLCs would have these frequency converter drives.

Payload.

Stuxnet chooses one of three infection sequences for delivering the payload, depending on the configuration of the Siemens Simatic S7 PLC. In actuality, the first two sequences are similar, while the third sequence is disabled; hence, there is essentially one infection sequence and one payload. The payload gives Stuxnet the capability to modify data to and from the connected frequency converter drives. By modifying the data, Stuxnet can alter the operating frequencies of the drives to make them fail over time. According to later reports, the target was Iran's Natanz uranium enrichment plant; the sabotage was deliberately subtle so that the human operators would be mystified about the cause.

According to the control systems security firm Langner Communications, the payload in Stuxnet also attempts to disrupt turbine control systems. If this theory is valid, it would suggest that Stuxnet could have been created for Iran's Bushehr nuclear power plant as well as the Natanz uranium-enrichment plant. The payload modules aimed at the turbine control systems at Bushehr appear to carry out a man-in-the-middle attack in order to pass fake input and output values to the genuine plant control code, presumably to disrupt the turbine control systems.
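The fake input and output values described above are exactly what an operator cannot see from the console, so one defensive response is to cross-check what the PLC reports against a measurement path that does not pass through the PLC. The following is an added example, not code from the monograph or from the analyses it cites; it assumes a constructed CSV feed that pairs the PLC-reported drive frequency with an independently measured one, and flags sustained divergence between the two.

```python
"""Out-of-band consistency check for frequency-converter drives.

Added example, not code from the monograph or from the cited analyses.
Assumption: an independent measurement path (a sensor that does not pass
through the PLC) is logged alongside the value the PLC reports to the
operator. All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Sample:
    t: int              # seconds since start of the log window
    drive: str          # drive identifier (constructed)
    reported_hz: float  # frequency the PLC reports to the operator console
    measured_hz: float  # frequency seen by an independent sensor


@dataclass(frozen=True)
class Alert:
    drive: str
    start_t: int
    end_t: int
    max_gap_hz: float   # largest |reported - measured| within the run


# Constructed log: FC-01 is healthy; FC-02 shows the sustained mismatch a
# man-in-the-middle payload produces (console still says 60 Hz while the
# motor is actually driven faster); FC-03 has one transient sensor glitch
# that should not raise an alert.
SAMPLE_LOG = """\
t,drive,reported_hz,measured_hz
0,FC-01,60.0,60.1
1,FC-01,60.0,59.9
2,FC-01,60.0,60.0
3,FC-01,60.0,60.2
4,FC-01,60.0,59.8
0,FC-02,60.0,60.0
1,FC-02,60.0,60.1
2,FC-02,60.0,75.0
3,FC-02,60.0,80.0
4,FC-02,60.0,85.0
5,FC-02,60.0,90.0
6,FC-02,60.0,90.0
7,FC-02,60.0,60.0
0,FC-03,60.0,60.0
1,FC-03,60.0,60.0
2,FC-03,60.0,60.0
3,FC-03,60.0,70.0
4,FC-03,60.0,60.0
"""


def parse_log(text: str) -> List[Sample]:
    """Parse the CSV feed (header line first) into Sample records."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        t, drive, rep, meas = line.split(",")
        rows.append(Sample(int(t), drive, float(rep), float(meas)))
    return rows


def _run_to_alert(drive: str, run: List[Sample]) -> Alert:
    gap = max(abs(s.reported_hz - s.measured_hz) for s in run)
    return Alert(drive, run[0].t, run[-1].t, gap)


def detect_divergence(samples: Iterable[Sample], tolerance_hz: float = 2.0,
                      min_consecutive: int = 3) -> List[Alert]:
    """Flag each drive whose reported and measured frequency differ by more
    than tolerance_hz for at least min_consecutive consecutive samples.

    Requiring a run filters single-sample sensor glitches; a payload that
    deliberately skews the data keeps the gap open for many samples.
    """
    by_drive = {}
    for s in samples:
        by_drive.setdefault(s.drive, []).append(s)

    alerts: List[Alert] = []
    for drive, rows in sorted(by_drive.items()):
        rows.sort(key=lambda s: s.t)
        run: List[Sample] = []
        for s in rows:
            if abs(s.reported_hz - s.measured_hz) > tolerance_hz:
                run.append(s)
                continue
            if len(run) >= min_consecutive:   # run just ended: long enough?
                alerts.append(_run_to_alert(drive, run))
            run = []
        if len(run) >= min_consecutive:       # run still open at end of log
            alerts.append(_run_to_alert(drive, run))
    return alerts


def run_demo() -> List[Alert]:
    """Run the detector over the constructed log; yields one alert (FC-02)."""
    return detect_divergence(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.drive}: reported/measured mismatch t={a.start_t}..{a.end_t}, "
              f"max gap {a.max_gap_hz:.1f} Hz")
```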

Significance and Implication.

Most malware is intended for computer systems (e.g., stealing data, establishing backdoors), but Stuxnet was clearly designed for real-world damage (sabotage) of industrial control systems. Moreover, it was crafted deliberately to deliver a payload to a specific high-value target. Stuxnet is too specific to worry about its reuse by terrorists. Even if terrorists acquired a copy of the source code, it would take an enormous amount of effort to re-engineer a different payload. Most likely different exploits would be needed because the exploits used by Stuxnet have mostly been patched since its discovery.

More worrisome is that Stuxnet demonstrates that a sufficiently determined adversary with sufficient resources might be able to damage U.S. critical infrastructure physically through a cyberattack. The level of effort to create Stuxnet has been estimated to cost millions of dollars, so the required resources would be very substantial. However, that cost is not beyond the budget of large terrorist organizations. Terrorists do not have to invest in creating their own custom-built malware, but eventually will be able to buy attack tools from criminal organizations or friendly nations. Stuxnet has gotten the attention of the world by promoting an arms race to develop offensive (and defensive) cybercapabilities among nations and the underground.

In summary, Stuxnet changed a theoretical hypothesis into reality; terrorists now know that cyberattacks are not limited to computers, and investment in cyberattacks can actually pay off in real-world "breaking things and killing people." There is more likely to be a long-term effect than a short-term one. The following sections ask if Stuxnet has had an effect in terms of motive, means, and opportunity for terrorists.
TERRORIST MOTIVES AND INTEREST IN CYBER ATTACKS


There are many logical reasons to expect terrorists to be interested in cyberterrorism. First, consider their motivations. Their main aim is clearly to gain visibility and influence by creating fear through "breaking things and killing people." Lesser goals are to maintain their operations and carry out their activities, e.g., fund raising, planning, recruitment, and intelligence gathering. The cyber domain offers several benefits to achieve those aims:

• Anonymous communications with other terrorists;

• Personal safety compared to physical attacks (e.g., bombs, suicide missions);

• Easy access to online data about potential targets;

• Low cost (PC or smart phone);

• Availability of an abundance of cyber attack tools;

• Low skill entry: many attack tools are automated, needing little expertise;

• Remote access to vulnerable targets;

• Reachability to any network-connected target;

• Connection to a worldwide audience for propaganda;

• Asymmetry: small terrorist groups can carry out large-scale attacks.

Terrorist Uses of the Internet.

It has been well documented that terrorists are knowledgeable about computers and use the Internet regularly for various activities supporting terrorism, such as propaganda, recruiting, communications, planning, and intelligence gathering. A recent United Nations (UN) Office on Drugs and Crime report found that terrorists use the Internet to:

• Spread propaganda related to instruction, explanations, justifications, or promotion of terrorist activities;

• Incite violence;

• Recruit and radicalize individuals;

• Raise funds through direct solicitation, e-commerce, the exploitation of online payment tools, and through charitable organizations;

• Train followers for combat tactics, the use of explosives and of weapons;

• Plan and coordinate attacks, often involving covert communication among several parties.

Internet usage has increased with changes in terrorist organizations. In the past, terrorist groups have been mostly hierarchical, which is a more effective structure for carrying out tasks and missions. More recently, terrorist groups such as al-Qaeda and Hamas have been organized as loosely interconnected, semi-independent cells without a single commanding hierarchy, for resilience against disruption or capture. The Internet is vital for facilitating communications and coordination among loosely interconnected groups.

Denning pointed out that it is not simply that terrorists are using the Internet, but more significantly, that the Internet has transformed the current practice of terrorism. For instance, most terrorist groups now have a Web presence. Al-Qaeda has been using the Web since the late-1990s, initially through the website, alneda.com. Today al-Qaeda has thousands of websites. Jihadist websites are used to distribute a wide variety of materials such as the writings and recordings of Osama bin Laden, Ayman al-Zawahiri, and other al-Qaeda leaders; videos of bombings and other terrorist acts; fatwas (religious edicts); electronic magazines; training manuals and videos; news reports; calls to join the jihad; and software tools. Al-Qaeda's online training materials have evidently been useful for planning attacks. Reportedly, the principal architect of the 9/11 attacks, Khalid Shaikh Mohammed, trained high-level al-Qaeda operatives in the use of encryption (terrorists have been captured with encrypted files on their computers).

Besides the Web, terrorists have established groups on social networking sites. Marc Sageman (author of Leaderless Jihad) has noted that websites are used primarily for distributing materials and propaganda, but it is through interactive forums and chat rooms that relationships are built and personal bonding takes place. Individuals are drawn online with little risk or cost, from anywhere in the world. They can support terrorism without necessarily having to acquire or handle explosives or anything directly harmful to people.

In November 2003, the Saudi-owned London daily Al-Sharq al-Awsat reported that al-Qaeda had opened a virtual university on the Internet called al-Qaeda University for Jihad Sciences. It includes colleges for technologies related to explosive devices and to electronic and media jihad.

Interest in Cyberattacks.

Terrorists have been active online but not at a level of sophistication comparable to that of Stuxnet. Perhaps one of the first reported incidents was in 1997. A group called Internet Black Tigers, aligned with the Liberation Tigers of Tamil Eelam (LTTE), claimed responsibility for "suicide email bombings" against Sri Lankan embassies over a 2-week period. The cyberattacks consisted of disk-operating systems and Web defacements.

Many forums have sprung up to distribute manuals and tools for hacking, and to promote and coordinate cyberattacks (sometimes called "electronic jihad"). Sites such as 7hj.7hj.com teach surfers the art of computer attacks and train individuals in hacking skills to serve Islam. A 2006 report by the Jamestown Foundation reported that most radical jihadi forums devote an entire section to hacking. For example, it reported that the al-Ghorabaa site published information about how to penetrate computer devices and intranet servers and steal passwords, including a 344-page book on hacking techniques.

Al-Qaeda has long supported "electronic jihad," particularly as a means of disrupting the U.S. economy. While truck bombs could accomplish a great deal of physical damage, there would not be much damage to the U.S. economy. On the other hand, a cyberattack might have a chance to take down the entire financial services network. Muhammad bin Ahmad as-Salim, in a book entitled 39 Ways to Serve and Participate in Jihad, encourages the use of electronic jihad as one of the ways to support al-Qaeda. In another book entitled al-Zarqawi - al-Qaeda's Second Generation, journalist Fouad Hussein describes a seven-phase war by al-Qaeda in which the organization plans to take over the world and turn it into an Islamic state.

Phase 1 consisted of raising the consciousness of Muslims worldwide after the 9/11 attacks. Phase 4, spanning 2010 to 2013, included cyberterrorism to damage the U.S. economy.


After 9/11, Osama bin Laden was quoted by the Pakistani newspaper Ausaf as saying:

Hundreds of young men had pledged to him that they were ready to die and that hundreds of Muslim scientists were with him and who would use their knowledge in chemistry, biology and ranging from computers to electronics against the infidels.

This suggested that bin Laden had some capabilities of launching cyberattacks. Al-Qaeda prisoners have told interrogators about their intent to use cyberattack tools, and captured al-Qaeda computers have been found to contain schematics and software for simulating catastrophic scenarios of a dam. Al-Qaeda computers have also reportedly contained evidence of surveillance of nuclear power plants, dams, and other critical infrastructures. Lamar Smith, a Representative from Texas, reported that Congress has been briefed on al-Qaeda operatives probing the electronic infrastructure in search of ways to disrupt or disable power, phones, and water supplies. Smith claimed, "There is a 50 percent chance that the next time al Qaeda terrorists strike the United States, their attack will include a cyberattack."

Has Stuxnet increased terrorist interest in cyberattacks on U.S. critical infrastructure? In late-2010, the popular Al-Shamukh jihadist forum called for attacks on industrial control systems, noting the success of Stuxnet. The forum posted a broad overview of supervisory control and data acquisition (SCADA) systems, but not information on how to attack them. Congressional testimony after Stuxnet raised concerns about the damage caused by a potential Stuxnet-like attack, but no testimony warned of any imminent attack or change in the capabilities of terrorists. Thus, it seems that Stuxnet might have raised awareness but did not significantly change the intent or interest of terrorists.

TERRORIST CAPABILITIES

Having established that terrorists are interested in cyberattacks, the next question is whether terrorists are building up capabilities and skills for such cyberattacks. There seems little doubt about their intentions, although their skill levels currently are not nearly comparable to the level of Stuxnet. In March 2010 testimony, FBI Director Mueller stated:

We in the FBI, with our partners in the intelligence community, believe the cyber terrorism threat is real, and it is rapidly expanding. Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward combining physical attacks with cyber attacks.

It is true that a multitude of easy-to-use software attack tools are readily available at no or low cost. For a small investment, attacks such as DDoS can be waged with serious and costly impact. It is also true that Islamic fundamentalist organizations such as Hamas, al-Qaeda, Algeria's Armed Islamic Group, Hezbollah, and the Egyptian Islamic Group are known to be versed in information technology. However, the types of attacks that are possible with low-cost tools do not yet rise anywhere near the level of "breaking things and killing people." It is very unlikely that any terrorist organization such as al-Qaeda will be able to deploy a cyberattack with the sophistication of Stuxnet. Stuxnet was developed by expert military programmers with detailed knowledge about their targets. It would take enormous time and human resources to develop that level of sophisticated skill. Although terrorists might turn to the underground to hire hackers with sufficient skills, Giampiero Giacomello has argued that this approach is unlikely, because it would be far more costly than the traditional physical attacks that terrorists have used more or less successfully in the past.

In addition to IT skills, an important element of major cyberattacks is zero-day exploits (as used in Stuxnet), because no patch is available to defend against them. There is a thriving market for zero-day exploits, and it might be assumed that terrorists could buy them easily as needed. However, there is also competition. At the recent Black Hat conference, representatives from the U.S. military and intelligence community were among the thousands of attendees seeking to learn about vulnerabilities and buy exploits and software tools, among other things. Many of the companies involved in discovering vulnerabilities and creating exploits are in Western countries unfriendly to terrorists, so terrorists may find it very difficult to acquire zero-day exploits.

Denning described a model for assessing cyberterror capability that consisted of three levels:

1. Simple-unstructured: the capability to conduct basic hacks against individual systems using tools created by someone else. The organization has little target analysis, command and control, or learning capability.

2. Advanced-structured: the capability to conduct more sophisticated attacks against multiple systems or networks and possibly to modify or create basic hacking tools. The organization possesses an elementary target analysis, command and control, and learning capability.

3. Complex-coordinated: the capability for coordinated attacks capable of causing mass disruption against integrated, heterogeneous defenses (including cryptography). Ability to create sophisticated hacking tools. Highly capable target analysis, command and control, and organizational learning capability.

Denning reported that the barrier to entry beyond the first level was quite high, and that it would take any organization 2-4 years to progress from level 1 to level 2, and another 6-10 years to advance to level 3. Terrorists have shown evidence mostly of level-1 activity but are arguably progressing to level 2.

Paying for Proxies.

Terrorists might find it easier to pay third parties to carry out attacks for them, instead of developing their own skills. There are three reasons to believe this could be an appealing approach:

• A number of cybercrime organizations have been well established for several years. For instance, the Russian Business Network (RBN) is well known for creating the MPack malware kit and operating the Storm botnet. The cybercrime underground deals in malware, exploits, and attack tools, among other activities.

• A cyberarms race has been stimulated by Stuxnet. Virtually every modern country has been building up offensive and defensive cybercapabilities, usually within defense or intelligence agencies. For instance, the Iranian government reportedly has built a fairly capable hacker group, and Iran is friendly to terrorist groups such as Hamas and Hezbollah. As nations around the world develop "cyber weapons," it will become easier for terrorists over time to acquire attack tools from friendly nations.

• New for-hire hacker groups (or "cyber mercenaries") are emerging to profit from working for clients. For example, security firm Symantec reported on a for-hire group of 50-100 hackers called Hidden Lynx. The group is suspected of penetrating more than 100 organizations around the world since 2009, including U.S. defense contractors, investment banks, and security companies. It is suspected of compromising security firm Bit9 in 2012, a company that sells an "application whitelisting" service to other companies. By stealing the cryptographic keys for the Bit9 service, the hacker group was able to compromise other companies depending on that service, including military contracting firms. A smaller for-hire group called Icefog was reported by Kaspersky Labs. This group of 6-10 hackers seems to specialize in surgical hit-and-run attacks on the supply chain, using custom-made attack tools.

VULNERABILITIES IN U.S. CRITICAL INFRASTRUCTURES

It is well known that about 90 percent of U.S. critical infrastructure is privately owned, consisting of a wide variety of custom-built equipment, though the sector is moving toward more common, off-the-shelf systems. Cybersecurity tends to be a low priority for system administrators, and systems are difficult to patch. Consequently, many vulnerabilities continue to exist. Often, a mixture of private and public networks is used. Although the risks of public networks are well known, private networks can be equally vulnerable to intrusions, though owners tend to believe they are safer because they are not connected to public networks.

The number of vulnerabilities appears to be increasing rapidly. A recent vulnerability report by NSS Labs stated that SCADA/industrial control systems (ICS) vulnerability disclosures increased from 72 in 2011 to 124 in 2012; the 2012 count represents a 600 percent increase from 2010. The 124 vulnerabilities affect the products of 49 vendors.

Another vulnerability is the complexity and high connectedness of systems, which increases the risk of cascade failures (seen in past incidents with the power grid). The government states:

This vast and diverse aggregation of highly interconnected assets, systems, and networks may also present an attractive array of targets to domestic and international terrorists and magnify greatly the potential for cascading failure in the wake of catastrophic natural or manmade disasters.

Electric systems, as an example, are not designed to withstand or recover quickly from damage inflicted simultaneously on multiple components. A well-planned, coordinated attack could take down portions of the electric power system for a long time.

Although vulnerabilities exist, intruders need expertise to be successful, and chances are that only a small number of people have the necessary expertise for a given control system, which is often proprietary or customized. Although not many attacks on critical infrastructures have been publicized, attacks have been known to happen. In August 2012, Saudi Arabia's state oil company, Saudi Aramco, saw more than 30,000 systems infected by a malware attack. Critical functions like oil production were unaffected, but basic oil operations were taken down. Shortly after, Qatar's liquefied natural gas company, RasGas, suffered a malware attack that had the same modus operandi.

Cyberattacks might become easier, given the recent invention of the SHODAN search engine by John Matherly. SHODAN is a search engine that finds specific types of computers (routers, servers, etc.) using a variety of filters on service banners. SHODAN crawls the Internet for publicly accessible devices, concentrating on SCADA systems. Cybersecurity researchers use SHODAN to search for vulnerable SCADA systems. A student, Eireann Leverett, used SHODAN to demonstrate that he could find 10,000 ICS connected to the public Internet. These included water and sewage plants, which were easy to compromise due to weak security.

WHY NOT A MAJOR CYBERATTACK

Having established motive, means, and opportunity for terrorists, the natural question is why a major cyberattack has not happened yet. It seems that al-Qaeda and other terrorist groups still prefer bombs and physical attacks, even after Stuxnet. In the absence of an attack, a case could be argued that cyberterrorism is more of a hypothetical threat than a real one. However, there is debate about whether an actual cyberattack by terrorists has happened. Although no major attacks have occurred according to the public record, some observers have speculated that attacks have happened but have been kept confidential so as not to disclose weaknesses in the national infrastructure.
In 2007, Denning postulated three indicators that could precede a successful cyberterrorism attack:

1. Failed cyberattacks against critical infrastructures, such as ICS. Unlike the case with the professionally developed Stuxnet, Denning expected that the first cyberterrorist attack would likely be unsuccessful, considering that even terrorist kinetic attacks frequently fail.

2. Research and training labs, where terrorists simulate their cyberattacks against targets, test attack tools, and train people. Israel reportedly had centrifuges at its Dimona complex on which to test Stuxnet.

3. Extensive discussions and planning relating to attacks against critical infrastructures, not just websites.

So far, none of these indicators has been observed, which would imply that terrorists are not trying hard to prepare for cyberattacks.

Conway has argued against the likelihood of cyberterrorism in the near future. Her argument consists of these reasons:

• Violent jihadis' IT knowledge is not superior.

• Real-world attacks are difficult enough.

• Hiring hackers would compromise operational security.

• For a true terrorist event, spectacular moving images are crucial.

• Terrorists will not favor a cyberattack with the potential to be hidden, portrayed as an accident, or otherwise remaining unknown.

Perhaps the most straightforward explanation of the lack of observed cyberattacks is the cost-benefit argument put forth by Giacomello. He compared the costs of traditional physical terrorist attacks with cyberattacks of the "break things and kill people" type. Specifically, Giacomello estimated the costs of three cyberterrorism scenarios aimed at the power grid, a hydroelectric dam, and an air traffic control system. The power grid was viewed as an unlikely target, because fatalities would be indirect or accidental. For a hydroelectric dam, the cost is based on a historical incident of an insider sabotaging the controls at the dam. Somewhat arbitrarily, the estimate assumed two proficient hackers with supporting personnel, totaling up to $1.3 million. For an air traffic control system, a higher number of skilled hackers are needed to compromise the system, prevent the air controllers from detecting and responding to the intrusion, and defeat built-in safety mechanisms. Again, it is not explicitly stated, but a year of work seems to be assumed, since the total is based on a year's salary. The resulting estimated cost was up to $3 million.

For comparison, Giacomello pointed out that the World Trade Center bomb cost only $400 to build, yet it injured 1,000 people and caused $550 million of physical damage. The March 2004 attacks in Madrid, exploding 10 simultaneous bombs on four commuter trains using mining explosives and cellphones, cost about $10,000 to carry out. The 9/11 Commission Report stated that the 9/11 attacks cost between $400,000 and $500,000 to plan and execute.

An examination of these comparative costs makes it clear that bombs are a much cheaper approach than cyberattacks, by orders of magnitude. Stuxnet, estimated to have cost millions of dollars, does not change the cost-benefit comparison. At the present time and in the near future, cyberattacks of the "break things and kill people" type require an enormous amount of effort by highly skilled experts. In contrast, bombs can be made cheaply and deployed without skilled effort. In addition, physical attacks are appealing because of the higher certainty of success.

This argument points to two fallacies in popular thinking. First, there is sometimes a misconception about the cost of cyberattacks. For example, Weimann stated that cyberterrorism would be attractive because cyberattacks require only a PC and an Internet connection. This is true for simple attacks, but terrorists would aim for more sophisticated attacks requiring a high level of skill. Second, there was concern that Stuxnet could fall into the hands of terrorists, who would then use it against the United States. Clearly, by now, Stuxnet would no longer be effective, since the world has seen its set of exploits. Although terrorists could modify Stuxnet for their own purposes, it is a high-precision weapon designed for a specific target. Terrorists would need to replace at least its payload and exploits, which would require a high level of expertise and time and would still have an uncertain chance of success.

However, the cost-benefit argument does not completely rule out the possibility of cyberattacks as a means to complement physical attacks. In that case, the cyberattacks could be much more modest, not necessarily of the "break things and kill people" type. For instance, a cyberattack that takes down a communication network or emergency system during a crisis caused by a physical attack could be very effective in amplifying the total impact.

In addition, it is quite possible that development costs for Stuxnet-like malware could decrease in the future (as is usually the case with software and hardware). If that happens, the cost-benefit argument could predict a point in the future when cyberattacks become attractive for terrorists.

CONCLUSIONS AND RECOMMENDATIONS

Previous sections have examined motive, means, and opportunity for cyberterrorism. Our findings can be summarized as:

• Terrorists are familiar with IT technologies and depend on the Internet for many common activities, similar to most people.

• Terrorists are interested in cyberattacks but not at a high level of sophistication yet.

• Terrorists have not built up a high level of cyber skills or capabilities (e.g., acquiring zero-day exploits) yet.

• Instead of developing their own capabilities, terrorists might seek help from friendly nations or for-hire hackers.

• Vulnerabilities existing in national infrastructures present opportunities for cyberattacks but require a high level of expertise to exploit.

• The absence of cyberterrorist attacks might be explained most simply by a cost-benefit argument that physical attacks are orders of magnitude less costly than cyberattacks.

• Stuxnet does not seem to have changed significantly the motive, means, or opportunity. And, despite concerns by some, it has not changed the cost-benefit trade-off either.

The last point implies that even after Stuxnet, terrorists still face a considerable cost barrier to carrying out large-scale cyberattacks. Therefore, such cyberattacks are probably unlikely in the near future. However, Stuxnet does have long-term implications, because the world has started on a cyberarms race. In the long term, there is likely to be a proliferation of major "cyber weapons," which might fall into the hands of terrorists.

There seems little that can be done to change motive for terrorists. Some have proposed the idea of deterrence, but it is questionable whether deterrence is possible in cyberwarfare in the same way that nuclear deterrence worked through fear of mutually assured destruction (MAD). Deterrence is predicated on the possibility of discouraging terrorists from attack by presenting a strong likelihood of retaliation. Unfortunately, the cyberenvironment is completely different from the nuclear environment, in which nuclear weapons can be traced and counted. In order to be effective, cyber deterrence must overcome a few practical obstacles.

The first and most obvious problem is attribution, the identification of the real source of a cyberattack. Attackers have the advantage of plausible deniability in cyberspace. Attribution is difficult because cyberattacks can be anonymized in many ways. In malware attacks, the creator is very difficult to discover from code disassembly. The second practical problem, even if attribution can be solved, is credible capacity for destructive retaliation. Probably no one doubts the offensive capability of the United States, but it has not been demonstrated yet.

Also, there seems little that can be done to change means for terrorists. Although terrorists do not have a high level of cybercapabilities yet, it would be practically difficult to prevent them from acquiring skills or help from third parties. Cybersecurity knowledge is freely available, and the barrier is low for terrorists to acquire training in cybersecurity.
The only factor that is feasible to address, then, is opportunity. Specifically, policies should enhance protection of national infrastructures to reduce the risk exposure to cyberattacks. Fortunately, the U.S. Government has already placed top priority on vulnerabilities in critical infrastructures, and a new Cyber Intelligence Sharing and Protection Act (CISPA) is under consideration, which is intended to facilitate security information sharing and enhance protection of critical infrastructures. However, it is not certain whether the Act will be sufficiently comprehensive and enforceable. For instance, some of the measures are voluntary rather than mandatory. Without mandatory measures to improve critical infrastructure security, it will be important to implement appropriate economic incentives to encourage desired actions.

Also, the National Infrastructure Protection Plan (NIPP) provides a unifying framework that integrates a range of efforts designed to improve protection of critical infrastructures. NIPP aims to prevent, deter, neutralize, or mitigate the effects of a terrorist attack or natural disaster, and to strengthen national preparedness, response, and recovery in the event of an emergency. It takes a risk-management approach consisting of identifying assets and assessing threats and vulnerabilities.

All measures to reduce the opportunity for cyberterrorists are recommended. However, the adaptiveness and resourcefulness of terrorists should not be underestimated. The NIPP says:

As security measures around more predictable targets increase, terrorists are likely to shift their focus to less protected targets. Enhancing countermeasures to address any one terrorist tactic or target may increase the likelihood that terrorists will shift to another.
The openness of the security problem means that it will be practically impossible to fix every vulnerability and eliminate all opportunities for terrorists. Perhaps policies should recognize that cyberattacks are inevitable and instead address the cost-benefit proposition for terrorists. If systems can be designed to increase costs and reduce benefits to adversaries, attacks will become less appealing.